Drunk after smashing pints in an Irish bar in SF all evening.
Only hot girl in the pub was the aussie barmaid who is from Newie and has been here for five years. Seems frothy.
Looks like a job offer is incoming so you dicks are getting rid of me barring a spectacularly disappointing dollar figure being pointed at me.

Then, they tried password recovery at Gmail. Since 2FA was turned off, they were presented with the message "We will send you an email to your secondary address: m**n@me.com". So, they knew his address was *mhonan@me.com, and they had to gain control of his Apple account. Honan fail: Two-factor auth should be turned on.

So they targeted his Amazon account instead! They grabbed his address from the whois info of emptypage.com, and called Amazon support to add a new (bogus) credit card to his account. Info needed: email address and billing address. Done. Honan fail: Your real address is on the whois of your domain? Seriously? How is it needed for anything? To all the followers of the SEorg podcast, this isn't news but then again, this was the key to everything else.

Then, they called Amazon again, to have his password reset. Info needed: email, billing address, and last 4 digits of any card number associated with the account. Amazon fail: they should require the card to have been "validated" by a successful payment/delivery. If they had done so, the card would have needed to be valid, and an unknown purchase made by a card you don't own is a big red flag.

Now they have access to the Amazon account. From it, they lift the last four digits of his (real) credit card number.

Finally, they call Apple support to have his password reset. Info needed: email, billing address, last four digits of credit card. Done. Apple fail: a credit card number is pretty much public information. Even more so the last four digits. (Fun fact: on credit card payment receipts, the masking of the CC number is inconsistent, sometimes the middle, sometimes the ends, so you can basically reconstruct it from various receipts left in, for instance, a car or a dumpster)

From there, it's the old password reset daisy chain. But they went with the tabula rasa approach to ensure control of the Twitter account: change associated email address, deactivate Gmail account, and wipe all devices associated with the AppleID.

commentary from someone at SA:

Quote:

"He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn’t personal."

thats g*y as h*eck

all that effort purely for twitter

burn the planet

i know the first three numbers

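The recovery chain described in the post above, modelled as an added example (not part of the original thread): each reset flow is a rule listing what it asks for and what it hands back, and the audit reports which single change would have kept the Twitter account out of reach. Rule and fact names are hypothetical; the Gmail-to-Twitter reset link and Amazon being registered under the known email address are assumptions.

```python
# Added example: recovery requirements as the post describes them; all names are hypothetical.
# Each rule: (step, facts the reset flow asks for, facts it hands back).
RULES = [
    ("gmail_recovery_hint", {"email", "gmail_2fa_off"}, {"me_com_address"}),
    # Assumption: the Amazon account is registered under the already-known email address.
    ("amazon_add_card", {"email", "billing_address"}, {"last4_of_a_card_on_file"}),
    ("amazon_reset", {"email", "billing_address", "last4_of_a_card_on_file"}, {"amazon_account"}),
    ("amazon_view_cards", {"amazon_account"}, {"last4_of_real_card"}),
    ("apple_reset", {"me_com_address", "billing_address", "last4_of_real_card"}, {"apple_account"}),
    ("gmail_reset", {"apple_account", "gmail_2fa_off"}, {"gmail_account"}),
    # Assumption: Twitter resets go to the Gmail inbox (the post only says "daisy chain").
    ("twitter_reset", {"gmail_account"}, {"twitter_account"}),
]

# What an outsider starts with, per the post: the address, whois data, and 2FA being off.
EXPOSED = frozenset({"email", "billing_address", "gmail_2fa_off"})


def closure(start, rules=RULES):
    """Apply rules until nothing new is gained; return (facts, ordered steps)."""
    known, steps = set(start), []
    progressed = True
    while progressed:
        progressed = False
        for step, needs, gains in rules:
            if needs <= known and not gains <= known:
                known |= gains
                steps.append(step)
                progressed = True
    return known, steps


def audit(target="twitter_account", start=EXPOSED, rules=RULES):
    """For each exposed fact and each rule, report whether removing it alone protects target."""
    report = {}
    for fact in sorted(start):
        report["withhold:" + fact] = target not in closure(start - {fact}, rules)[0]
    for i, rule in enumerate(rules):
        rest = rules[:i] + rules[i + 1:]
        report["harden:" + rule[0]] = target not in closure(start, rest)[0]
    return report


if __name__ == "__main__":
    print(" -> ".join(closure(EXPOSED)[1]))
    for change, protects in audit().items():
        print(f"{change:32} protects twitter_account: {protects}")
```

Because the chain in the post is strictly linear, every entry in the audit comes back as protective; swapping in your own accounts' recovery rules shows whether that still holds when there is more than one route.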

also what's the etiquette re: having 6 friends with birthdays when you really only care about 4 of them enough to write a happy birthday wall post but then the other 2 might be friends with some of them and see those messages and then wonder why they didn't get one themselves

Spoiler:

bede and madmike aren't the other 2, lol

p.s. happy birthday trase for the other day, i was going to make you a video edit ala gruso/blue moon but then i didn't